We often hear stories about how criminals take advantage of people who reuse their passwords across websites and don’t enable two-factor authentication (2FA).

But, recently it appears these roles were reversed when police in the Netherlands shut down the criminal activity of a number of dark web vendors who reused their own credentials and didn’t enable 2FA on their accounts.

According to cryptomarket researcher @5auth, as of 24 July 2017, up to 16 accounts on the dark web marketplace Dream Market were under control of the Dutch Police:

Means: all of these vendors sold on Hansa without 2fa and used the same password on Dream.

Sophos Home

While Hansa and AlphaBay fell, another dark market, Dream Market, seemed untouched by authorities and many of the affected vendors moved their operations there.

However, there was rampant speculation that Dream Market was either actively compromised and being monitored by authorities, or that it was only a matter of time until it too was shut down.

Earlier this week, it looked like the shoe finally dropped for at least 16 vendors on Dream Market, but it doesn’t appear that the authorities used any high-powered tricks in their takedown. Instead, it looks as though the Dutch police simply reused credentials they’d already captured.

According to at least one of the vendors themselves on the /r/DarkNetMarkets subreddit, they hadn’t changed their password after Hansa was taken down, and they also hadn’t enabled 2FA, or were unable to enable it.

“Guys, I am one of those vendors. I can clearly say that (at least) my account was seized by dutch LE. I think they came on it through my sillyness using same password on hansamarket. All my informations got changed during the night they took hansamarket offline.”

Though we have no confirmation from the Dutch police as yet, if this was a matter of credential reuse it was trivial for the police to log in to vendor accounts and completely take them over, shutting the vendors out of their own accounts and swapping the vendors’ PGP keys to ones owned by the Dutch police.

The vendors taken offline seem to be garnering little sympathy from their peers for their lax security practices. “You likely didn’t have 2FA enabled in the first place… and used the same password as on Hansa,” wrote one user in the DarkNet Market UK subreddit. “You should know better.”